MEMORANDUM FOR: Executive Secretary, DCI Security Committee 


FROM: aed 
CIA Alternate Member, DCI Security Committee 


SUBJECT: APEX Industrial Manual 


1. On 4 March 1980, your office forwarded a draft copy
of the APEX Industrial Manual to the Policy and Plans Group,
Office of Security, for information and retention. The
transmittal slip suggested that PPG might wish to circulate the
draft copy within OS to get comments which, in turn, could
be introduced, as appropriate, by the Executive Secretary,
DCI Security Committee.


2. While realizing that the deadline for comments
regarding the proposed draft is past, the following
suggestions, which are the result of internal OS coordination, are
being forwarded for your information and submission, if
appropriate, should the opportunity present itself at a later
date for further input into the APEX Industrial Manual:


Page 1, paragraph 2, line 6: It is suggested
that the word "authority" be substituted for the
word "activity." Rationale: The change will add
clarity and preciseness.


Page 1, paragraph 5: Concern was expressed 
as to how the government would assure that the 
implementing guidance to contractors is uniform 
from various government officials or agencies. 
It is suggested that any such guidance should 
be reviewed by the APEX Steering Group before 
any implementing directives are published. 


Page 2, paragraph 8: The requirement for
annual inspections of contractor APEX control
Facilities may be unrealistic. Resource limitations
may make the goal of annual inspections
unattainable.


Page 3, paragraph 12: The annual (January)
revalidation of access approvals, while a worthy
goal, may, like the annual inspection cited in
the above paragraph, be unrealistic. This proposal
will require extensive contractor input,
the cost of which will be passed on to the
government. Resource limitations may make
the annual revalidation goal unattainable.


Page 4, paragraph 16c: It is suggested
that a specific time frame be established for
dispatching tracers when receipts are not returned.
The establishment of such a time frame
will serve as a guide for government as well as
industrial contractors.


Page 7, paragraphs 23a and 23b: In both
paragraphs a and b, it is suggested the words
"official or" be inserted before the word
"nonofficial." Rationale: A great deal of cultivation
and possible elicitation of sensitive
information could be accomplished by foreign
nationals, be they representatives of DCID 1/20
countries or not, while operating under the
blessing of an "official" contact. This being
the case, it is felt that "official" as well
as "nonofficial" contacts should be reportable.


Page 8, paragraph 26: The colon at the end
of the page should be replaced with a paragraph
classification marking. (U) is suggested.


Pages 10 and 11, paragraphs 35, 38 and 39:
It is suggested that a phase III level briefing,
or its equivalent, be reinstated. Rationale:
Paragraph 35 states that persons being briefed
in the APEX-GENERAL category will be told "their
industrial firm has a contract or contracts with
U. S. Government entities but may not necessarily
be told of the specific departments or agencies."
Since they "may" or "may not" be told of the
specific sponsoring agency, it will be impossible
to determine whether a person briefed APEX-GENERAL
at either the phase I or phase II level is aware
of the true sponsorship of a particular project.
In other words, with the deletion of phase III
level briefings, there is no quick and definitive
method of determining who has or has not been
briefed regarding true sponsorship.


Paragraphs 38 and 39 also contain language
which makes it impossible to determine whether
a person is aware of true sponsorship. Paragraph 38
states that phase II level briefings
permit knowledge of the sponsoring agency among
other things, but then cautions that "it should
not be assumed that all details will be given
to all phase II accessed individuals." Paragraph 39
states that "generally" access to the
cited subcompartment would not allow access to
certain information, including details about
government sponsorship. It is felt that to
definitively determine who knows how much about
what given activity a phase III level briefing
or some equivalent must be reinstated.


Page 11, paragraph 38, line 1: The phrase
"this level of operational" is inconsistent
with the preceding and following paragraphs
and should not appear in italicized bold-face
print.


Page 12, paragraph 42: The entity "APEX
Control Staff" is cited, without further
elaboration, in this paragraph for the first
time in the Manual and then is subsequently
referred to at various points in the remainder
of the document. It is suggested that the
duties and composition of the APEX Control
Staff be addressed at the beginning of the
Manual, possibly under the "Organizational
Structure" section on page 2. It is also
noted that the need to define "APEX Control
Staff" also exists in the "Security Manual
for Government."


Page 12, paragraph 43: It is suggested
that this paragraph be rephrased to eliminate
the "at least annually" inspection of Contractor
APEX Control Facilities (CACF). Preferred
wording would be similar to that utilized on
page 14, paragraph 48 ("technical security")
which provides for inspections (1) upon
accreditation, (2) following major physical
renovation, and (3) at the discretion of the
SIO. Rationale: Resource and budgetary
limitations preclude fulfillment of the goal
of annual inspections of all CACFs.


Page 14, paragraph 49: It is suggested that
the wording of this paragraph be changed to read:
". . . in compliance with DCID 1/16 and standard
requirements ...."


Also, it is proposed that the title of this
paragraph be changed from "Computer Security" to
"Information Systems Security." Rationale: The
reference to DCID 1/16 provides a precise standard
which can, as necessary, be supplemented by the
responsible SIO. The title change is felt to be
more descriptive and will reflect cognizance over
information systems, not necessarily just those
having to do with computers.


Page 14, paragraph 50: The wording of this
paragraph should be changed to make it clear that
the responsible government office will arrange
the required inspections and tests, and advise
the contractor of required corrective measures.
However, it should be the contractor who schedules
and takes the corrective action, after which the
responsible government official monitors compliance.
Rationale: The responsibility and expense of
required corrective action should clearly be
shown to belong to the contractor.


Page 14, paragraph 51, line 4: The spelling
of uneeeusTiy’ should be corrected.


Page 17, paragraph 59d: It is suggested
that this paragraph be revised to require that
APEX document control numbers be placed on all
pages of APEX controlled documents, not just
on the front cover (if any), title page (if any)
and front page. Rationale: If interior pages
of APEX controlled documents bear no control
number, control is lost if the interior pages
should ever become separated from the basic
document. For example, how would lost pages
of documents, once found, be traced back to
the original? How would a contractor employee,
displaying a document on a cathode ray tube
(CRT) in order to make a hard copy of it know
the number to use to apply a control to the
new document? If most (interior pages) of the
controlled materials in the APEX control system
bear no control numbers, then what real control
does the APEX system have?


Page 19, paragraph 63, line 8: It is
suggested that the word "should" be replaced
with "will." Rationale: This should be a
firm (not optional) requirement and "will"
strengthens the direction.


Page 21, paragraph 72: The requirement set
forth in this paragraph states that the reproduction
of all hard-copy APEX material is to
be accomplished by the Contractor APEX Security
Officer (CASO) or Assistant Contractor APEX
Security Officer (ACASO). This requirement
seems too restrictive and rewording is suggested
as follows: ". . . and shall be accomplished
by the CASO or ACASO or their designee
in accordance with procedures approved by the
cognizant SIO." Rationale: Contractor
resources would not seem to allow all reproduction
to be done personally by the CASO or ACASO.


Page 21, paragraph 77: The (?) at the end
of this paragraph must be replaced with a paragraph
marking. (U) is suggested.


Page 22, paragraph 81: It is suggested that
there be individual accountability for all forms
of photographic materials. Reportedly, there
has been numbering and control in the past, and
it is recommended that this individual accountability
practice be continued. Rationale: Control
is lost over film and photographic materials
if individual accountability is discontinued.


Page 23, paragraph 87: The (?) at the end
of this paragraph must be replaced with a paragraph
marking. (U) is suggested.


Page 25, paragraph 95: It is suggested that
this paragraph be changed to read: "Personnel
are to be indoctrinated by a designated APEX
Security Officer or Contractor APEX Security
Officer, as deemed appropriate by the cognizant
Government ASO." Rationale: In order to be
consistent with current procedures and in
consideration of resource limitations, it is
suggested that both the ASO and the CASO, as
appropriate, be authorized to indoctrinate
approved personnel regarding the APEX Special
Access Control System.